The cyber war between Israel and Hamas continues to attract volunteer participants, including Israeli civilians, Anonymous members, and Palestinian sympathizers from Pakistan and Bangladesh. The conflict raises (again) questions about how cyberspace conflict among states and non-state actors might be moderated or limited—do the lawyers among our readers see useful analogies in admiralty law? Such conflict appears certain to become more common, especially as companies consider offensive operations against cyber attackers. (Crowdstrike is the most recent prominent advocate of vigilantism.)
Phishing attacks proliferate. Backdoor.Makadocs turns Google Docs into a surrogate command-and-control server (Brazilian Windows 8 users are particularly affected). An attack on an Australian primary school shows how common and effective ransomware exploits have become.
Human resources departments, despite handwringing over vulnerabilities, increasingly allow employees to use social media at work. Security guru Bruce Schneier argues that cyber attackers enjoy enduring advantages over intelligence tools used to predict attacks (in fighter-pilot terms, the hackers are always inside the defenders' OODA loop).
Most CIOs remain skeptical of cloud security even as Britain's National Health Service moves to G-Cloud for better email security. US defense contractors pull in their horns and stockpile cash in anticipation of budget cuts. Intel's CEO Otellini will retire in the spring. (Analysts note Intel's failure to dominate the mobile chip market.)
Researchers at Toshiba and Cambridge University develop a way of securely distributing keys over high-speed fiber. Stanford researchers make progress in forcing quantum entanglement.
US investigators continue to call Chinese telecom manufacturers a security threat.
Today's issue includes events affecting Australia, Bangladesh, Belgium, Brazil, Ireland, Israel, Pakistan, Palestinian Territories, Philippines, Spain, Switzerland, United Kingdom, United States..
Anonymous escalates its 'cyberwar' against Israel(CNet) Anonymous' hacking campaign against Israel to protest its attacks on Gaza escalated today with the release of a list of thousands of individuals who supposedly donated to a pro-Israel organization. The collective posted a Pastebin document that it said featured names -- and in some cases home addresses and e-mail addresses -- of donors for the Unity Coalition for Israel, which claims to represent "the largest network of pro-Israel groups in the world." The document appears to be quite old: one of the military e-mail addresses belonged to Douglas Feith, the U.S. undersecretary for defense under Bush, who left that job in 2005
When Virtual-States Attack Nation-States(AOL Government) Sources familiar with the turn of events in Israel say that now the Israeli government has confirmed publicly that a massive cyber attack targeting them is underway. This raises a number of questions. How will a nation-state, such as Israel, respond to
Malware uses Google Docs as proxy to command and control server(CSO) Backdoor.Makadocs variant uses Google Drive Viewer feature to receive instructions from its real command and control server. Security researchers from antivirus vendor Symantec have uncovered a piece of malware that uses Google Docs, which is now part of Google Drive, as a bridge when communicating with attackers in order to hide the malicious traffic
Windows 8 Malware Using Google Docs to Target Brazilians(Threatpost) New malware targeting Windows 8 appears to be using Google Docs as a proxy server instead of directly connecting to a command and control (C&C) server. According to research done by Symantec and discussed in the company's Security Response blog late last week, a Trojan, Backdoor.Makadocs, targets Windows 8 - along with Windows Server 2012 - yet doesn't use any of the software's particular functions as an exploit vector
Blackhole exploits lead a black month for malware(Help Net Security) In October, GFI Software threat researchers uncovered a large number of Blackhole exploits disguised as Windows licenses (just prior to the release of Windows 8), Facebook account verification emails
Cyber-criminals hit primary school(Northern Star) A Byron Bay primary school has been the latest victim of sophisticated cyber crime in which their server was digitally "kidnapped" and held for ransom. Two weeks ago Byron Community Primary School's server was hacked. All data became inaccessible and vital daily tasks such as updating roles, recording financial transactions, and entering health records were impossible
Fake tsunami news report leads to malware(Help Net Security) Fake news about celebrity deaths and impending natural disasters are often employed by online scammers and malware peddlers aiming to trick users into clicking on malicious links without thinking
Belgium - phishing fraudsters plunder hundreds of bank accounts(Wordpress) Flemish banks are currently being pummeled by a massive phishing attack. Over hundred Belgians have already been cleaned out of all money on their bank accounts. Fraudsters committed the crimes using email phishing and telephone calls to get hold of bank account numbers and pin data
Security Patches, Mitigations, and Software Updates
Adobe Patches DoS Flaw in ColdFusion 10(Threatpost) ColdFusion patchAdobe has addressed a denial-of-service vulnerability in the ColdFusion platform and an update is available. ColdFusion is Adobe's platform and application server used by developers to build Web applications
Urgently Needed: A Dumber, Tougher Grid(IEEE Spectrum) That's not to say a smarter grid will not also help. Since the hurricane and "nor'easter" that devastated the New Jersey and New York coasts two weeks ago, leaving millions without heat, gasoline and electricity, there has been a lot of loose talk about how a smarter grid might moderate the effects of such catastrophes in the future
Anticipating threats ineffective in enhancing security (ZDNet) Companies looking to predict cyberthreats to fend off attacks will not improve their IT systems' security robustness as the criminals responsible will evolve and develop their technologies accordingly. Speaking at a seminar here Monday, Bruce Schneier, chief security technology officer at BT, said technology has affected the balance of society and social mechanisms such as law and punishment, which help keep people in check so they will not commit crimes, online or otherwise. For instance, the Internet has given rise to anonymity and made it easier for cybercriminals to perpetrate their attacks without getting caught, Schneier observed
The Future Of Cyber Security(WOUB) On this edition of Conversations from Studio B, host Tom Hodson talks with with cyber communication security experts Danny OBrien and Andrew Lewman. OBrien is an Internet advocacy coordinator for the New York based Committee to Protect Journalists, and is a leading authority on cyber security threats. Lewman is the leader of the Tor project, which develops technology to allow journalists and others to scramble their communications when operating overseas
Panetta's Wrong About A Cyber 'Pearl Harbor'(ForeignPolicy.com) In recent months, the specter of a looming cyber "Pearl Harbor" has reappeared -- the phrase having first come into use in the 1990s. But it is the wrong metaphor
Generation Tech: Gifted but a long way from bad(Help Net Security) They have been described as technology's Generation Y or Generation Tech: an undisciplined, impulsive, entitled horde of twenty-something workers, seen as one of the biggest security challenges ever
How teens hide their online activity(Help Net Security) A European survey commissioned by McAfee has revealed an alarming disconnect between what teens are getting up to online, and what parents are aware of. Many UK teens are accessing inappropriate content
81% don't trust cloud security(Help Net Security) 81 percent of IT professionals express security concerns when moving data to the cloud, according to a recent survey by GreenSQL. The survey focused on one question: "What is your main security
NHS anticipates move to G-Cloud for secure email services(Computer Weekly) The NHS Commissioning Board is looking to use multiple secure email providers via the governments G-Cloud framework. The move would be the largest deal yet to go through G-Cloud, pushing many millions of pounds through the framework. Around half a million users are currently on the secure email service NHSmail, which runs on Microsoft Exchange 2007
Defense Vendors Stockpile Cash Ahead Of Cliff(Bloomberg Government) Defense contractors led by Boeing Co. and Lockheed Martin Corp. are stashing more cash amid the threat of automatic federal budget cuts and expiring tax breaks
Honeywell Readies For Defense Cuts(Wall Street Journal) Honeywell International Inc. said Monday it expects the bulk of looming U.S. defense cuts to be implemented, and in a sharp break with rivals said it welcomes the reductions
Pentagon Propaganda Plan Is Source Of Controversy(USA Today) Senior officers at the Pentagon are being advised on countering Taliban propaganda by a marketing expert whose company once weeded out reporters who wrote negative stories in Afghanistan and helped the military deceive the enemy in Iraq, according to military documents and interview
Cisco ponies up $1.2 billion to beef up BYOD credentials(Fierce Mobile IT) Cisco (NASDAQ: CSCO) is paying $1.2 billion in cash and retention bonuses for Meraki, a cloud-based provider of mobile device management, mobile device security and Wi-Fi connectivity, to boost its BYOD credentials. Meraki's products support BYOD, guest networking, application control, WAN optimization, application firewalls and other networking services
eBay swings axe at Paypal(Channelbiz UK) 325 jobs to go in restructuring. eBay has announced that it is committing to a Q4 pre-tax restructuring charge of $15 mllion, relating to Paypal staff reductions. In other words, today it gave 325 employees the sack
Products, Services, and Solutions
Petraeus Fallout: 5 Gmail Security Facts(InformationWeek) Want to avoid a fall from grace? Then ensure you're not the chief of a spy agency who coordinates your extramarital affairs using a free webmail service. View this complementary article to learn about the top information security takeaway from the ongoing probe into the former director of the CIA, David Petraeus, who resigned after 14 months on the job
Why Facebook is full of it(IT World) Facebook says it's not deliberately throttling news feeds to sell more ads. Maybe that is true. But one way or another, they're lying to us
ITC: 'Plug-and-play' keeps company ahead of cyber threats(intelligentutility) Independent transmission owner ITC Holdings (NYSE:ITC) is "very aware" of cybersecurity, and the company has been diligent about guarding against cyber threats for nearly a decade, ITC vice-president of grid development Terry Harvill told TransmissionHub in an interview on trends that industry representatives will discuss at a panel session during TransForum East coming up in December. I dont think that it is unique to the transmission industry or utility industry that we face an ever growing threat of IT attacks, Harvill said. ITC is an independent electricity transmission company with high-voltage transmission systems in Michigans Lower Peninsula and parts of Iowa, Minnesota, Illinois, Missouri and Kansas through its subsidiaries ITCTransmission, Michigan Electric Transmission, ITC Midwest and ITC Great Plains
Raiffeisen Introduces PhotoTAN to Protect Customer Transactions Against Malware(Softpeida) European banks, which are said to have implemented far more advanced security mechanisms to protect their customers than the ones from the US, are trying to live up to their reputation. Swiss bank Raiffeisen has introduced a new security feature that relies on Cronto's Visual Transaction Signing Solution. Available for customers in Switzerland starting today, the CrontoSign is designed to protect online transactions against cyberattacks that rely on clever information-stealing Trojans such as ZeuS
It's official: Windows 8 is a disappointment(Quartz) The new Microsoft operating system that all the reviewers called confusing isn't exactly winning over consumers either. Since its launch less than a month ago, Windows 8 has seen weaker sales than its predecessor Windows 7, an NDP Group report via AllThingD's John Packzkowski found. Sources inside Microsoft also say that the company doesn't like the early sales numbers it's seeing either,reports Paul Thurrott who runs a Supersite for Windows. "Microsoft has not met is internal projections for Windows 8 sales," he wrote. Microsoft blames the PC makers, says Thurrott. "My source cited to me the PC makers' 'inability to deliver,' a damning indictment that I think nicely explains why the firm felt it needed to start making its own PC and device hardware," he writes. But we suspect it has more to do with the newfangled tile look, which has users hesitant to switch away from the familiar Windows 7 start screen. Or maybe that's something that just takes getting used to, in which case we should expect a slow build for Windows 8?s impending smash success
Four Ways to Turn Insiders Into Assets(Dark Reading) Stop thinking about employees as threats and train them to make your company harder to attack. Jayson Street has few problems walking into businesses and getting access to sensitive company data. A vice president of information security for a bank by day, Street moonlights as a penetration tester at Stratagem 1 Solutions, a job at which he has yet to fail
Software 'glitches' are not acceptable. Learn from aviation(TechWorld) The term glitch is often used to describe an error in software, but the word itself undermines the severity of such errors, according to open source software company Adacore. Only this year, a so-called software glitch was responsible for a substantial IT failure at the Royal Bank of Scotland (RBS), which meant that millions of customers could not gain access to funds in their bank accounts. Events from the Wall Street Crash to Toyota's brake failings in 2009 have also been attributed to software glitches trivialising the problem and implying that it can be reasoned away
Total Information Assurance Framework For Modular Implementation(Blogger News Network) Subsequently as BS7799 evolved into ISO 27001 and new frameworks such as COBIT 5 have extended the "Information Security" concept to "Information Assurance" and added Authenticity and Non Repudiation as two other factors in defining Information
What's preferable: Exceptions or explicit error testing?(Ars Technica) A burning question from efficiency and security standpoints. Richard Keller asks: I often come across heated blog posts where the author uses the argument: "exceptions vs explicit error checking" to advocate his/her preferred language over some other language. The general consensus seems to be that languages that make use of exceptions are inherently better / cleaner than languages which rely heavily on error checking through explicit function calls. Is the use of exceptions considered better programming practice than explicit error checking, and if so, why
New Neural Chip Mimics Brain Function(SIGNAL) Researchers working for the U.S. Army have developed and patented a neural computer chip that mimics human brain functions and could potentially be used for quantum computing
Scientists Find Cheaper Way to Ensure Internet Security(New York Times) Scientists at Toshiba and Cambridge University have perfected a technique that offers a less expensive way to ensure the security of the high-speed fiber optic cables that are the backbone of the modern Internet. The research, which will be published Tuesday in the science journal Physical Review X, describes a technique for making infinitesimally short time measurements needed to capture pulses of quantum light hidden in streams of billions of photons transmitted each second in data networks. Scientists used an advanced photodetector to extract weak photons from the torrents of light pulses carried by fiber optic cables, making it possible to safely distribute secret keys necessary to scramble data over distances up to 56 miles
Quantum cryptography done on standard broadband fibre(BBC News) The "uncrackable codes" made by exploiting the branch of physics called quantum mechanics have been sent down kilometres of standard broadband fibre. This "quantum key distribution" has until now needed a dedicated fibre separate from that used to
What's The Big Idea? Pentagon Agency Backs Student Tinkerers To Find Out(NPR.org) At Analy High School in Sebastopol, Calif., three students are taking apart a bicycle that generates electricity. Another student is calibrating a laser cutter. They're all working in a cavernous building that once held the school's metal and electronics shop. Let's just say it has been updated
Legislation, Policy, and Regulation
Congresswoman Crowdsourcing Domain-Seizure Bill on Reddit(Wired Threat Level) Rep. Zoe Lofgren (D-California) has taken to the social-news site Reddit to crowdsource legislation that would make it more difficult for U.S. authorities to seize domains facilitating copyright infringement
UK govt tells banks to hand over account data to customers(Finextra) The UK government has warned banks that it is prepared to legislate to force them to hand over current account and credit card data to customers who request it. The threat relates to the midata project, which is designed to give Brits more access to, and control over, the data that companies hold on them so that they can get greater insight into their own spending habits and improve buying decisions. Lloyds Banking Group, MasterCard and Visa are among the big firms in the finance, energy and telecoms sectors to voluntarily back the project, promising to give customers who ask for it their data in an electronic machine-readable standard format
Philippines to set up cybersecurity operations center(ZDNet) The Armed Forces of the Philippines (AFP) will be establishing an operations center to counter cybersecurity threats. According to Manila Standard Today news site on Monday, the military's project is dubbed the Command, Control, Communications, Computers, Intelligence, Surveillance, Target Acquisition and Reconnaissance (C4ISTAR), military spokesperson Arnulfo Burgos said in a statement. It is "envisioned by the Department of National Defense and the AFP for a comprehensive upgrading and acquisition of modern equipment and solutions, under the AFP modernization program for efficient and effective conduct of operations," he said
Moneygram pays $100m to settle wire fraud charges(Finextra) Moneygram has agreed to pay $100 million to settle US charges that it criminally aided and abetted wire fraud and failed to maintain an effective anti-money laundering programme. The Department of Justice says that between 2004 and 2009, the firm violated the law by processing thousands of transactions for its agents "known to be involved" in a scam defrauding American citizens. The scams - which generally targeted the elderly and other vulnerable groups - included posing as victims' relatives in urgent need of money and falsely promising victims large cash prizes
Judge approves $22.5M Google fine for violating Safari privacy(Naked Security) A U.S. federal judge in San Francisco approved a legal settlement between the U.S. Federal Trade Commission (FTC) and Google on Friday to the tune of $22. 5M USD, declaring that Google mislead consumers about the privacy protections offered in its Safari web browser. Federal Judge Susan Illston gave her blessing to the settlement in a ruling on Friday, declaring the agreement "fair, adequate and reasonable." the Associated Press reported
Chinese Telecom Firms Pose a Threat to US National Security(U.S. News & World Report) A recent report of the U.S. National Counterintelligence Executive proclaimed that "Chinese actors are the world's most active and persistent perpetrators of economic espionage." And according to Keith Alexander, director of the National Security
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
IRISSCERT Cyber Crime Conference(Dublin, Ireland, November 22, 2012) The IRISSCERT Cyber Crime Conference will be held this year on Thursday the 22nd of November 2012 in the D4Berkley Court Hotel, in Ballsbridge Dublin. This is an all day conference which focuses on providing...
Digital Security Summit(Riyadh, Saudi Arabia, December 1 - 2, 2012) A major conference to discuss the growing threat to digital security in the Middle East, especially in Saudi Arabia.
Passwords^12(, January 1, 1970) Passwords^12 is a 3-day conference only about passwords & PIN codes. With an "all-star" cast of speakers, including Joan Daemen (AES/SHA3), Jens Steube (alias "atom", hashcat author), Colin Percival (CSO...
CIO Cloud Summit 2012(, January 1, 1970) The CIO Cloud Summit will help C-level executives better understand the true capabilities of cloud computing and the transformational opportunities it can bring.
BayThreat(Sunnyvale, California, December 7 - 8, 2012) The theme for BayThreat is a new spin on the dichotomy of attacking and defending in information security. We're calling out all of the attackers and defenders that are on the front lines of the battle.
2012 European Community SCADA and Process Control Summit(Barcelona, Spain, December 10 - 11, 2012) The European SCADA Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations...
#BSidesBOS(Cambridge, Massachusetts, USA, February 23, 2013) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of...
TechMentor Orlando 2013(Orland, Florida, USA, March 4 - 8, 2013) Celebrating 15 years of educational events for the IT community, TechMentor is returning to Orlando, Florida, March 4-8, for 5 days of information-packed sessions and workshops. Surrounded by your fellow...
e-Crime Congress 2013(London, England, March 12 - 13, 2013) The e-Crime Congress is designed to meet the needs of key stakeholders and decision makers who are responsible for designing and coordinating information security and risk management strategy, safeguarding...
The Future of Cyber Security 2013(London, England, UK, March 21, 2013) Cyber Security and the Citizen 2013 is a one-day conference and exhibition for senior decision-makers of central and local government organisations, NGOs and major private sector enterprises.
25th Annual FIRST Conference(Bangkok, Thailand, June 16 - 21, 2013) The annual FIRST conference provides a setting for conference participants to attend a wide range of presentations delivered by leading experts in both the CSIRT field and from the global security community.
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.